Palo Alto Networks Security Advisories / CVE-2021-3036

CVE-2021-3036 PAN-OS: Administrator secrets are logged in web server logs when using the PAN-OS XML API incorrectly

047910
Severity 4.4 · MEDIUM
Attack Vector LOCAL
Attack Complexity LOW
Privileges Required HIGH
User Interaction NONE
Scope UNCHANGED
Confidentiality Impact HIGH
Integrity Impact NONE
Availability Impact NONE

Description

An information exposure through log file vulnerability exists in Palo Alto Networks PAN-OS software where secrets in PAN-OS XML API requests are logged in cleartext to the web server logs when the API is used incorrectly.

This vulnerability applies only to PAN-OS appliances that are configured to use the PAN-OS XML API and exists only when a client includes a duplicate API parameter in API requests.

Logged information includes the cleartext username, password, and API key of the administrator making the PAN-OS XML API request.

Product Status

VersionsAffectedUnaffected
PAN-OS 10.0< 10.0.1>= 10.0.1
PAN-OS 9.1< 9.1.6>= 9.1.6
PAN-OS 9.0< 9.0.12>= 9.0.12
PAN-OS 8.1< 8.1.19>= 8.1.19

Required Configuration for Exposure

This vulnerability applies only to PAN-OS appliances that are configured to use the PAN-OS XML API.

Severity: MEDIUM

CVSSv3.1 Base Score: 4.4 (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue.

Weakness Type

CWE-532 Information Exposure Through Log Files

Solution

This issue is fixed in PAN-OS 8.1.19, PAN-OS 9.0.12, PAN-OS 9.1.6, PAN-OS 10.0.1, and all later PAN-OS versions.

After you upgrade the PAN-OS appliance, you must change the passwords and generate a new API key for all impacted PAN-OS administrators.

Workarounds and Mitigations

You must change the passwords and generate a new API key for all impacted PAN-OS administrators. Confirm that there aren’t any PAN-OS XML API requests that repeat API parameters in the request.

Acknowledgments

Palo Alto Networks thanks David Tien of Cyber Risk for discovering and reporting this issue.

Timeline

Initial publication
© 2020 Palo Alto Networks, Inc. All rights reserved.